<p>Deserialization from an untrusted source using the XMLDecoder library can lead to unexpected code execution. For example, it has led in the past to
the following vulnerability:</p>
<ul>
  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4221">CVE-2013-4221</a> </li>
</ul>
<p>XMLDecoder supports arbitrary method invocation. This capability is intended to call setter methods only but nothing prevents the execution of any
other method.</p>
<p>This rule raises an issue when XMLDecoder is instantiated. The call to "readObject" is also highlighted to show where the malicious code can be
executed.</p>
<h2>Ask Yourself Whether</h2>
<ul>
  <li> the XML input can come from an untrusted source and be tainted by a hacker. (*) </li>
  <li> you require the advanced functionalities provided by the XMLDecoder class. If you simply need to deserialize XML you can use a more secure
  deserialization function. </li>
</ul>
<p>(*) You are at risk if you answered yes to this question.</p>
<h2>Recommended Secure Coding Practices</h2>
<p>If you only need a simple deserialization, use instead one of the deserialization libraries <a
href="https://www.owasp.org/index.php/Deserialization_Cheat_Sheet#Mitigation_Tools.2FLibraries">recommended by OWASP</a>.</p>
<p>If you really need to use XMLDecoder, make sure that the serialized data cannot be tampered with.</p>
<h2>Sensitive Code Example</h2>
<pre>
public void decode(InputStream in) {
  XMLDecoder d = new XMLDecoder(in); // Sensitive
  Object result = d.readObject();
  [...]
  d.close();
}
</pre>
<h2>See</h2>
<ul>
  <li> <a href="https://www.owasp.org/index.php/Top_10-2017_A1-Injection">OWASP Top 10 2017 Category A1</a> - Injection </li>
  <li> <a href="https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization">OWASP Top 10 2017 Category A8</a> - Insecure Deserialization
  </li>
  <li> <a href="https://cwe.mitre.org/data/definitions/502.html">MITRE, CWE-502</a> - Deserialization of Untrusted Data </li>
  <li> <a href="https://www.owasp.org/index.php/Deserialization_of_untrusted_data">OWASP Deserialization of untrusted data</a> </li>
  <li> Derived from FindSecBugs rule <a href="https://find-sec-bugs.github.io/bugs.htm#XML_DECODER">XML_DECODER </a> </li>
</ul>
<h2>Deprecated</h2>
<p>This rule is deprecated, and will eventually be removed.</p>

